Which!!! discover contactless security flaw

The folks over at Which!!! have found a security flaw in contactless cards, which could potentially be something that criminals could exploit, and spend a load of money with your card.

There's a limit on how much you can spend via a contactless payment, but the watchdog found that, by buying some cheap contactless card-reading technology, they were able to remotely make off with key details from a contactless card, and then use the info to buy stuff, including a telly that was worth £3,000.

That is considerably more than the £20 limit (increasing to £30 in September).

Which!!! tested 10 cards, and they found that, via software from what they call 'a mainstream website', they could read the card number and expiry date from all 10 cards. Don't worry - the cards came from volunteers.

They were not able to get the CVV security code from the back of the cards, but it turned out that this didn't matter, as they were able to make purchases without the cardholder's name or CVV code.

With their dodgy reader, a mere tap saw Which!!! getting enough details to enable a trip to the online shops, and thanks to online transactions not being subject to a limit, some scamster could go crazy with your card.

Peter Eisenegger, a security expert who helped develop EU standards for contactless cards, told Which!!! that it would be possible for crims to get a card reader that could lift your details from further away than the one in this test.

He said: "It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers."

3 comments

1 year agoInspector G.

Surely the vulnerability is with websites taking payments without the CVV code and name, not with contactless technology itself? And the only people who are actually vulnerable will be the websites with dodgy security or the banks; not the general public.

I have an RF blocking wallet to store my contactless cards in, the only drawback is they are exposed when I pull them out of my wallet...
The problem does not just exist with the vulnerable web site, the issue also lies with a card that gives its details out when you don't ant it to. If the contactless cards had a push button on them you had to press to use it that would help (though not make it secure) as the card would only work when you wanted to make a payment (though theft would still be an issue).
Having a card you needed to put your pin into (with a little keypad on the back) would make it more secure and wouldn't release any details unless the correct pin had been entered!

@ITF - "Having a card you needed to put your pin into (with a little keypad on the back) would make it more secure and wouldn’t release any details unless the correct pin had been entered!", I think you're missing the point of contactless technology! And theft isn;t an issue as your bank covers 100% of losses for theft.